HitmanPro.Alert BETA

Discussion in 'other anti-malware software' started by erikloman, May 30, 2017.

  1. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
Do you use MBAM free (on-demand)?
     
  2. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
On one system I use MBAM free and on another I run it with all real-time protections enabled. It gets along fine with HMP.A.
     
  3. deugniet

    deugniet Registered Member

    Joined:
    Nov 25, 2013
    Posts:
    1,244
After updating Norton Security to v22.10.0.85: high CPU (> 20%) with build 712. And multiple PrivGuard alerts from build 712 with Sandboxie 5.20 (x64).

    Logboeknaam: Application
    Bron: HitmanPro.Alert
    Datum: 20-7-2017 10:59:22
    Gebeurtenis-id:911
    Taakcategorie: Mitigation
    Niveau: Fout
    Trefwoorden: Klassiek
    Gebruiker: n.v.t.
    Computer: ****
    Beschrijving:
    Mitigation PrivGuard
    Platform 10.0.15063/x64 v712 06_17*
    PID 6944
    Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
    Description Sandboxie COM Services (DCOM) 5.20
    Sweep
    Code Injection
    0000000000180000-0000000000186000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2752]
    0000000000190000-0000000000191000 4KB
    00007FF9C97E9000-00007FF9C97EA000 4KB
    Process Trace
    1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [6944]
    2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [6912]
    3 C:\Program Files\Sandboxie\SbieSvc.exe [2752]

    Win10 1703 build 15063.483 x64/Norton Security v22.10.0.85
     
  4. Tom ZuckerScharff

    Tom ZuckerScharff Registered Member

    Joined:
    Jun 5, 2014
    Posts:
    2
    Location:
    1300 Morris Park Avenue, Bronx, NY
    Errors with HitmanPro.Alert Build 710 CTP4

    Mitigation Problems:
    • Detects Kaspersky AntiRansomware Tool for Business 1.1 as a CredGuard mitigation
    • Detects PRTG Network Monitor (PRTG Probe.exe) as a Lockdown Mitigation
• Detects Firefox as a LoadLib mitigation
    • Detects C:\Windows\splwow64.exe as an APC Violation (had to turn off APC detection or I got one of these every minute)

Had to disable Keystroke Encryption in Risk Reduction, or I sometimes saw only random characters while typing. Reproducible, but random.

    System information:

    Platform: 10.0.15063/x64 v710 06_3c
    OS: Windows 10 Pro x64 upgraded from windows 7 Pro
Hardware: Dell Optiplex 9020, 8 GB RAM
Drives: 256 GB boot disk (Crucial_CT275MX300SSD1), 1 TB data drive (WDC WD10EZEX-75WN4A0)
    Processor: Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz
    BIOS ver: DELL - 1072009
     
  5. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
Issue with HMP.A build 712:
The 'Add/Remove Windows Features' window shows only plain white, no content.
With HMP.A uninstalled, things went back to normal.
     
  6. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Same here, blank screen with 'Turn Windows features on or off' with 712 installed. Didn't verify by uninstalling though ...
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    I wonder if build 712 addressed any of these.
     
  8. msatter

    msatter Registered Member

    Joined:
    Jul 21, 2017
    Posts:
    6
    Location:
    home
I am running 3.7.0 build 712 Beta, and this program will only start if I disable Code Cave Mitigation.

Program-specific, I disabled Enforce DEP and IAT Filtering, and I don't want to disable system-wide Code Cave Mitigation. Is this solvable in HitmanPro.Alert?

    Mitigation IAF
    Platform 10.0.14393/x64 v712 06_5e
    PID 2420
    Application C:\Program Files (x86)\BreezeSys\Downloader Pro\Downloader.exe
    Description Downloader Pro: digital photo download utility 2.2.8
    Violation 73D146FE is calling AcLayers.DLL IAT funcptr kernel32.dll!GetModuleHandleA
    Stack Trace
    # Address Module Location
    -- -------- ------------------------ ----------------------------------------
    1 73D146FE hmpalert.dll +0x446fe
    ff1514f1d473 CALL DWORD [0x73d4f114]
    68b874d673 PUSH DWORD 0x73d674b8
    50 PUSH EAX
    ff15acf0d473 CALL DWORD [0x73d4f0ac]
    8bf0 MOV ESI, EAX
    8935fc17d873 MOV [0x73d817fc], ESI
    85f6 TEST ESI, ESI
    7511 JNZ 0x73d1472d
    32c0 XOR AL, AL
    5e POP ESI
    8b4dfc MOV ECX, [EBP-0x4]
    33cd XOR ECX, EBP
    e8b4200200 CALL 0x73d367dd
    8be5 MOV ESP, EBP
    5d POP EBP
    c3 RET
    2 73CE69DF hmpalert.dll +0x169df
    3 73CF6EEB hmpalert.dll +0x26eeb
    4 73D07187 hmpalert.dll +0x37187
    5 7736E58E ntdll.dll RtlDecompressBuffer +0xee
    6 77340E46 ntdll.dll
    7 773410F0 ntdll.dll
    8 77367636 ntdll.dll LdrInitializeThunk +0xb6
    9 77367590 ntdll.dll LdrInitializeThunk +0x10
    Process Trace
    1 C:\Program Files (x86)\BreezeSys\Downloader Pro\Downloader.exe [2420]
    2 C:\Windows\explorer.exe [3436]
    3 C:\Windows\System32\userinit.exe [2992]
    4 C:\Windows\System32\winlogon.exe [948]
    winlogon.exe
    5 C:\Windows\System32\smss.exe [688]
    \SystemRoot\System32\smss.exe 000000bc 0000007c
    Thumbprint
    7c264736d24df74a3e1523e09b308652167814996f78b9437af9370c1722f2b1
     
  9. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    In case it helps to pinpoint the issue -- I'm running 712 on a Windows 7 x64 SP1 system, and that add/remove box shows up normally here, there's no text missing.
     
  10. Hiltihome

    Hiltihome Registered Member

    Joined:
    Jul 5, 2013
    Posts:
    1,131
    Location:
    Baden Germany
    THX @JEAM,
    but the issue is not related to the OS.
    I'm running WIN8.1 on my laptop too, but the issue only exists on my office machine.
Tried several things (reverting back to build 604, uninstalling Sandboxie and so on), but the issue stayed.
    So for now, I uninstalled HMP.A, to get my OS to normal function.
     
  11. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    I noticed that issue of a blank/empty Windows Features list (Turn Windows Features on or off) on one of my Windows 7 x64 systems, last May, most probably May 17.
    On that system, when I noticed that issue, the installed HMPA version must have been 3.6.5.592, most probably.
    At that time, I didn't think of HMPA being the cause of the issue.
May 9, I had manually installed D3DCompiler_47.dll (a dependency for installing Microsoft .NET Framework 4.7, before D3DCompiler_47.dll was included in the June 13, 2017 Monthly Rollup) and I manually installed Microsoft .NET Framework 4.7 (before it was offered through Windows Update, later).
    When I noticed the blank/empty Windows Features list (Turn Windows Features on or off), I thought the manual D3DCompiler_47.dll plus .NET Framework 4.7 installation may have caused the issue. I didn't think of HMPA being the cause of the issue.
    May 18, I ran Microsoft System Update Readiness tool to fix the Windows Features list (Turn Windows Features on or off) issue.
    It is hard to tell if it was HMPA, or manually installing D3DCompiler_47.dll plus .NET Framework 4.7, or something else, that had caused the issue.

    My other Windows 7 x64 system did not have the blank/empty Windows Features list (Turn Windows Features on or off) issue.
    On that system, May 17, the installed HMPA version may have been 3.6.5.592 as well, recently updated from 3.6.4.588.
    On that system, .NET Framework 4.7 was installed through Windows Update, much later, only June 30.

    Today, with HMPA 3.6.7.604 and .NET Framework 4.7 on both my Windows 7 x64 systems, there is no issue with Windows Features list (Turn Windows Features on or off).
    I haven't tested the HMPA 3.7 beta series.
     
    Last edited: Jul 22, 2017
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    This is an example of malware that's capable of stealing credentials, and it's currently out of the scope of HMPA. I wonder if Mark and Erik are still active, or perhaps they are on a break?

    https://www.proofpoint.com/us/threa...idiy-stealer-bringing-credential-theft-masses
     
  13. Duotone

    Duotone Registered Member

    Joined:
    Jul 9, 2016
    Posts:
    142
    Location:
    Philippines
    Just updated Chrome and this is what I got:

    Mitigation PrivGuard

    Platform 6.1.7601/x64 v712 1f_06
    PID 4992
    Application C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    Description Google Chrome 60

    Sweep

    Code Injection
    00080000-00081000 4KB C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [6376]
    00095000-00096000 4KB
    7769C000-7769D000 4KB
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [6376]
    2 C:\Windows\explorer.exe [6468]
    3 C:\Windows\System32\userinit.exe [6804]
    4 C:\Windows\System32\winlogon.exe [4968]
    winlogon.exe
    5 C:\Windows\System32\smss.exe [6744]
    \SystemRoot\System32\smss.exe 00000000 00000040
    6 C:\Windows\System32\smss.exe [316]
    \SystemRoot\System32\smss.exe
    7 [4]

    Process Trace
    1 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [4992]
    "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1320,2928204780374349991,2688739629206415263,131072 --service-pipe-token=9F24F32B41F8E1E4589A7155F2927BC9 --lang=en-US --extension-process --enable-offline-a
    2 C:\Program Files (x86)\Google\Chrome\Application\chrome.exe [6376]
    3 C:\Windows\explorer.exe [6468]
    4 C:\Windows\System32\userinit.exe [6804]
    5 C:\Windows\System32\winlogon.exe [4968]
    winlogon.exe
    6 C:\Windows\System32\smss.exe [6744]
    \SystemRoot\System32\smss.exe 00000000 00000040
    7 C:\Windows\System32\smss.exe [316]
    \SystemRoot\System32\smss.exe
    8 [4]

    Oh and again I'm running Chrome inside SBIE...
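The PrivGuard alerts quoted in this thread for Sandboxie and for Chrome running inside Sandboxie share one text layout (Mitigation, PID, Application, Code Injection regions, Process Trace). As an added example, not HMPA's code or anything posted by the thread's participants, here is a small Python parser for that layout plus a triage heuristic, which is an assumption of this example and not HMPA's logic, that flags alerts where every module attributed to the injected regions lives in the target application's own directory, as in the Sandboxie report; the embedded sample is that Sandboxie alert.

```python
import re
# Constructed sample: the Sandboxie PrivGuard alert quoted earlier in this thread.
SAMPLE_ALERT = r"""Mitigation PrivGuard
Platform 10.0.15063/x64 v712 06_17*
PID 6944
Application C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
Description Sandboxie COM Services (DCOM) 5.20
Sweep
Code Injection
0000000000180000-0000000000186000 24KB C:\Program Files\Sandboxie\SbieSvc.exe [2752]
0000000000190000-0000000000191000 4KB
00007FF9C97E9000-00007FF9C97EA000 4KB
Process Trace
1 C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe [6944]
2 C:\Program Files\Sandboxie\SandboxieRpcSs.exe [6912]
3 C:\Program Files\Sandboxie\SbieSvc.exe [2752]
"""

# Region lines: "start-end NKB [owner-path [pid]]"; trace lines: "depth path [pid]".
RANGE_RE = re.compile(r"^([0-9A-Fa-f]+)-([0-9A-Fa-f]+) (\d+)KB(?: (.+?) \[(\d+)\])?$")
TRACE_RE = re.compile(r"^(\d+) (.+?) \[(\d+)\]$")
HEADER_KEYS = ("Mitigation", "PID", "Application", "Description")

def parse_alert(text: str) -> dict:
    """Return header fields plus 'regions' [(start, end, kb, owner, owner_pid)]
    and 'trace' [(depth, path, pid)]; lines of no known shape are skipped."""
    alert, section = {"regions": [], "trace": []}, None
    for line in (l.strip() for l in text.splitlines()):
        key, _, rest = line.partition(" ")
        if key in HEADER_KEYS and rest:
            alert[key] = int(rest) if key == "PID" else rest
        elif line in ("Code Injection", "Process Trace"):
            section = line
        elif section == "Code Injection" and (m := RANGE_RE.match(line)):
            s, e, kb, owner, opid = m.groups()
            alert["regions"].append((int(s, 16), int(e, 16), int(kb), owner, opid and int(opid)))
        elif section == "Process Trace" and (m := TRACE_RE.match(line)):
            d, path, pid = m.groups()
            alert["trace"].append((int(d), path, int(pid)))
    return alert

def injection_sources(alert: dict) -> list:
    """Owner paths HMPA attributed the foreign regions to; unattributed regions are dropped."""
    return sorted({r[3] for r in alert["regions"] if r[3]})

def same_vendor_dir(alert: dict) -> bool:
    """Triage heuristic (assumption, not HMPA logic): all attributed sources sit in the target's directory."""
    target_dir = alert["Application"].rsplit("\\", 1)[0].lower()
    srcs = injection_sources(alert)
    return bool(srcs) and all(p.rsplit("\\", 1)[0].lower() == target_dir for p in srcs)
```

Regions with no owner path (the 4KB entries above) stay in the result so the size and address data can still be reviewed, but they do not count as attributed sources.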
     
  14. JEAM

    JEAM Registered Member

    Joined:
    Feb 21, 2015
    Posts:
    576
    The HMP.A crashes on IE11 in Windows 7 just keep coming -- two more interrupted my typing this post! :mad:

    This is getting pretty annoying. It looks like sometimes the browser tries to reload the information on the tabs that are open (they are not known to be self-refreshing pages), and then the crash occurs. (Not sure about this analysis.) The crashes seem to happen in clusters, with nothing bad going on for a while, and then a rash of them. More crashes if more tabs are open.
     
  15. guest

    guest Guest

    Not here.
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
Still experiencing a suspect interaction for cumulative updates (now Win 10 August cumulative update KB4032188) between WU, dism / sfc and HMPA build 712, as I did with two previous cumulative updates (above) on my primary Win 10 Pro x64 machine.

    Windows Update does not pick up on the cumulative update.

    If I then try to run a dism or sfc, they fail unless I stop / disable the HMPA service. After that, dism and sfc run but don't find a problem. But WU still doesn't find the update.

    If I then try and run the KB offline installer from the MS catalog, it runs all the way through but fails to install at the end.

    I then decided to uninstall HMPA completely. WU then did find the update but it failed during the download (did not note the error code).

    However, on reinstalling the KB via the offline installer, it installed successfully.

    I currently have HMPA uninstalled. Not sure whether to reinstall build 712 now, or maybe go to the last stable build. Could just be a question of disabling one of the protections (I do have Credential Theft Protection disabled because of Macrium), but wouldn't know where to start.

I leave my laptop on overnight, and usually find memory is nearly all used up in the morning (memory leak?). However, this didn't seem to happen last night with HMPA uninstalled ...

    Not sure all these interactions are related, as surely others would have had issues. But, just saying, that is what I am experiencing, somewhat consistently.
     
    Last edited: Aug 3, 2017
  17. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    Glad you mentioned this. I uninstalled HMPA, and now I see that I have a lot of updates waiting for me. They were inaccessible to me, beforehand.
     
  18. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    The same as paulderdash, HMPA 3.7.0.712 beta and Windows 10?
    Or another Windows version, or even HMPA 3.6.7.604 stable?
     
  19. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    Yes, would be good if we could rule out 604 stable. But at least @shmu26's experience would indicate there is a problem.

    Edit: I think the problem is only with cumulative updates, not with standalone updates like Flash or Office.
     
    Last edited: Aug 3, 2017
  20. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,550
    My setup is like yours: Win 10, HMPA 3.7.0.712 beta
     
  21. Stupendous Man

    Stupendous Man Registered Member

    Joined:
    Aug 1, 2010
    Posts:
    2,861
    Location:
    the Netherlands
    No Windows Update issues with HMPA 3.6.7.604 stable on my Windows 7 x64 systems.
    I don't know about HMPA 3.6.7.604 stable and Windows 10.
     
  22. HempOil

    HempOil Registered Member

    Joined:
    Jun 15, 2015
    Posts:
    225
    Location:
    Canada
    I'm running Build 604 and Windows 10. The last cumulative update automatically installed by Windows Update was "2017-07 Cumulative Update for Windows 10 Version 1607 for x64-based Systems (KB4025339)". When I perform a search on the Windows Update Catalog, I see cumulative updates that are more recent when sorted by the Last Updated column, however, their KB numbers are sequentially lower, so I believe that I am receiving windows updates normally.
     
  23. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,644
    Location:
    Under a bushel ...
    OK, so you are still on Version 1607 ...

    I force updated to Version 1703 (Creator's Update) shortly after it became available, and have been on HMPA build 712 beta since July 9, and before that, since June 11, build 710 beta.

    I have had issues with KB4022716 (June 27), KB4025342 (July 11) and now KB4032188 (Aug 1).

@Stupendous Man has had no issues on Win 7, and it seems neither have you, with build 604, so it may be an interaction with 1703 and build 7nn.

    @shmu26 Are you on Version 1703?

    Again, I can't say for sure it is HMPA, but it does seem to play some role on my system, with dism anyway. Does WU invoke dism?

    Edit: Post corrected regarding HMPA builds in use.
     
    Last edited: Aug 3, 2017
  24. Tinstaafl

    Tinstaafl Registered Member

    Joined:
    Jul 30, 2015
    Posts:
    965
    Location:
    USA
    I'm also running HMPA Build 604 and Windows 10 1607. Updated OK to the last Win 10 cumulative update 2017-07. Plan to stay with 1607 a little while longer, MS is still patching 1703 with a long list of fixes this month.
     
  25. dmex

    dmex Registered Member

    Joined:
    Aug 3, 2017
    Posts:
    3
    Location:
    Australia
    I installed HitmanPro and made some observations:

    1) HitmanPro will only detect something when it's not located in the Program Files directory (whitelisting?)
2) HitmanPro uses the Kaspersky database for its scanning.

    For example the scan on my system produced 45 results for Process Hacker inside the temp directory:
    http://i.imgur.com/h0apqTy.png

    The Process Hacker updater downloads the setup into the Temp directory during the update process and (since the setup is also used for uninstallation) the same file is copied into the Program Files directory:
    http://i.imgur.com/cwINa1M.png

    However, HitmanPro did not detect the exact same files inside the Program Files directory?

    Entries named "not-a-virus" are also shown as malware and quarantined by HitmanPro?
    http://i.imgur.com/xARMrn5.png

    Does HitmanPro have a choice in how to handle different types of detections via the Kaspersky API and have they given anyone guidance on how to handle those types of entries?

    Thanks

    -dmex
    Lead Developer
    Process Hacker
     